[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 16 Aug 2006 08:57:32 +0100

:-) 


Jason Jones | Silversands Limited | T: 01202 360489 | M: 07971 500312 | F: 
01202 360900 | E: jason.jones@xxxxxxxxxxxxxxxxx


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 16 August 2006 02:41
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

There is - this was a clear case of borking.
That's a much more complex (and effective) form of f#$%$ing up your system.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Tuesday, August 15, 2006 18:45
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

I figured there was an "anti-hork" feature in the ISA CSS replication engine ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, August 15, 2006 8:34 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> Replication is a wonderful thing... 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, August 15, 2006 18:10
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> Hey, wait a minute. There should be multiple CSSs, so did the storage 
> get horked on all of them?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, August 15, 2006 7:25 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Yep - somehow he managed to completely bork his storage. 
> > We're almost to the point of a complete rebuild <sigh>.
> > I'm actually doing a registry compare to see if I can sort out what he
> > broke.
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, August 15, 2006 17:20
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Is it a real problem, and dealing with jughead the enterprise admin?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Tuesday, August 15, 2006 6:58 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Not yet - been critsitting between postings. 
> > > ..or the other way 'round...
> > > 
> > > -------------------------------------------------------
> > >    Jim Harrison
> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >    http://isaserver.org/Jim_Harrison/
> > >    http://isatools.org
> > >    Read the help / books / articles!
> > > -------------------------------------------------------
> > >  
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Tuesday, August 15, 2006 14:44
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Jim,
> > > 
> > > Any luck with this? 
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 14 August 2006 00:52
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Absotively.
> > > Send it on.
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Sunday, August 13, 2006 3:08 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Yeah I know, have the same issues when looking at closed betas with
> > > cool features which could really help out some of my customers. Shame
> > > the NDA doesn't extend to MS partners though...
> > > 
> > > PSS dude said that all KB articles related to RPC problems were
> > > based upon using a large number of clients. He also said that as this
> > > issue was happening before the DR problems I couldn't include it
> > > within the DR call and I would have to log another call...great! :-(
> > > 
> > > If I give you the SRQ number, is there any chance you could point him
> > > in the right direction? Pretty please :-)
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 13 August 2006 22:47
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > I wish I could say more, but I'm bound by NDA... 
> > > The KB is on its way out the door and your PSS dewd need only do a bit
> > > of research.
> > > 
> > > -------------------------------------------------------
> > >    Jim Harrison
> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >    http://isaserver.org/Jim_Harrison/
> > >    http://isatools.org
> > >    Read the help / books / articles!
> > > -------------------------------------------------------
> > >  
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Sunday, August 13, 2006 14:41
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Whilst PSS logging a call to get some feedback on the DR issues I've
> > > had with ISA, I mentioned this "new KB article" and the chap I was
> > > dealing with was pretty clueless about it (amongst other things!).
> > >  
> > > You are really starting to become a tease with this article, as it
> > > may solve two problems now! :-P
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 13 August 2006 19:15
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > 
> > > 
> > > Not insinuating anything of the sort...
> > > 
> > > Keep your eyes open for that KB that deals in Outlook MAPI 
> > > connections; I bet it'll help you out here, too.
> > > 
> > >  
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Sunday, August 13, 2006 2:22 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > >  
> > > 
> > > All relationships are route = I know intradomain is only supported
> > > this way - I'm not a complete newb at this ;-)
> > > 
> > >  
> > > 
> > > Complicated setup I know, but pretty much 99% working apart from this
> > > issue and the RPC filter failings (other post)
> > > 
> > >  
> > > 
> > > Tried with and without strict RPC - no dice, same issues...
> > > 
> > >  
> > > 
> > > Internet FW is hardware appliance (dumb packet filter)
> > > 
> > >  
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 13 August 2006 01:43
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Ah, yes.
> > > 
> > > While this is a desirable design, it's also a very difficult one.
> > > 
> > > What are the network relationships between the networks?
> > > 
> > > For instance:
> > > 
> > > ExchFE <-> Exch BE == Route
> > > 
> > > ...?
> > > 
> > > Have you disabled Strict RPC on the relevant rules?
> > > 
> > >  
> > > 
> > > NAT ain't happenin' FWIW...
> > > 
> > > What's the "Internet FW"?
> > > 
> > >  
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Saturday, August 12, 2006 3:18 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > >  
> > > 
> > > 
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 12 August 2006 22:41
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Maybe a napkin drawing, then?
> > > 
> > > I don't understand how your BE needs specific rules unless it's 
> > > separated from the DC by ISA?
> > > 
> > >  
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Saturday, August 12, 2006 2:19 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > >  
> > > 
> > > No, not confused, and realise the difference between RPC/HTTP and
> > > MAPI. I guess I am obviously not explaining myself very well with a
> > > complex environment and the problem very specific.
> > > 
> > >  
> > > 
> > > >>AS such, any NSPI connections are strictly the problem of the BE server.
> > > 
> > >  
> > > 
> > > Not in this scenario, as the BE is in an ISA protected network
> > > separated from the DCs and FEs. The rule that allows access from
> > > BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic
> > > from the NSPI proxy when using RPC/HTTP.
> > > All other RPC traffic from BE=>DCs is working as expected and ISA is
> > > detecting the RPC dynamic ports correctly.
> > > 
> > >  
> > > 
> > > If I allow All outbound protocols from BE=>DCs the NSPI proxy works
> > > and I see ports 1025, 1026 etc being used. It seems as if ISA is
> > > missing the initial RPC negotiations between the NSPI proxy and DCs and
> > > hence blocks all dynamic ports after 135 is contacted.
> > > 
> > >  
> > > 
> > > Maybe I need to provide some diagrams and/or better descriptions...
> > > 
> > >  
> > > 
> > > JJ
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 12 August 2006 16:55
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP
> > > traffic.
> > > 
> > > AS such, any NSPI connections are strictly the problem of the BE 
> > > server.
> > > 
> > >  
> > > 
> > > The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
> > > interfaces) rules.
> > > 
> > >  
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Friday, August 11, 2006 5:13 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > >  
> > > 
> > > Hi,
> > > 
> > > Bit of a shot in the dark, as this is a strange issue, but hoping 
> > > someone can confirm what I am seeing.
> > > 
> > > Basically, I have a pretty secure Exchange environment whereby both
> > > Exchange FE's and BE's are on ISA protected perimeter networks with
> > > the external network connected to the 'traditional LAN' e.g., ISA is
> > > acting as a multinetwork internal firewall to specifically protect
> > > Exchange from the internal network (all routed relationships). In this
> > > scenario, ISA is controlling all communications to and from Exchange
> > > and all email client access is published using web publishing or
> > > secure RPC publishing.
> > > 
> > > Up until now everything has been working pretty well (apart from the
> > > other RPC filter issues in my other posts!) but we have come across a
> > > specific issue when using RPC/HTTP as follows:
> > > 
> > > The problem seems to lie with the fact that the back-end Exchange
> > > server is talking to the GCs and ISA is seeing these connections as
> > > newly initiated connections (e.g. non RPC) as opposed to detecting
> > > them as dynamic ports which have been defined as part of the RPC
> > > handshake process. Therefore, ISA is dropping these connections and
> > > prevents the back-end server from communicating with the GCs,
> > > specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other
> > > communications which relate to RPC and ISA's ability to detect dynamic
> > > RPC ports is being done successfully (e.g. MAPI communications from
> > > Outlook to Exchange). It looks to me as if the back-end Exchange
> > > server is initiating its own connections which ISA sees as
> > > communications independent of RPC. The issue only appears to arise
> > > when the back-end servers proxy the client AD communication (e.g. when
> > > using the NSPI proxy), as is the case with RPC/HTTP, because Outlook
> > > clients have no access to the GCs from the Internet. For standard
> > > MAPI clients, they are simply given a referral to the actual GCs which
> > > they communicate with directly, independent of Exchange (e.g. not
> > > using NSPI proxy).
> > > 
> > > Does this sound familiar? Is Exchange doing something weird here or
> > > is ISA missing the RPC dynamic port negotiations?
> > > 
> > > Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used
> > > by the NSPI proxy which I am pretty sure are going to be the kind of
> > > ports dynamic RPC would use. If I add the ephemeral ports (1024-65535)
> > > to the existing BE=>GC rule everything works just fine. If I limit
> > > ports to standard intradomain protocols including RPC then everything
> > > works apart from RPC/HTTP and I start seeing ports 1025, 1027 etc.
> > > being denied by ISA as unidentified traffic.
> > > 
> > > Answers on a postcard! ;-)
> > > 
> > > Cheers
> > > 
> > > JJ
> > > 
> > > All mail to and from this domain is GFI-scanned.
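A defender's log check for the symptom in Jason's original post: ephemeral-port connections from the back-end server that ISA denies as unidentified traffic right after that same server contacted the endpoint mapper on TCP 135. This is an added example, not code from the thread or from ISA; the space-separated log layout, the addresses and the function names are constructed for illustration and do not reproduce ISA's real log format.

```python
from datetime import datetime

# Constructed sample lines in a simplified, space-separated layout
# (time client-ip dest-ip dest-port protocol action). This is NOT ISA's
# real log format; it only carries the fields the check needs.
SAMPLE_LOG = """\
2006-08-12T14:10:01 10.1.2.10 10.1.1.5 135 RPC Allow
2006-08-12T14:10:01 10.1.2.10 10.1.1.5 1025 Unidentified Deny
2006-08-12T14:10:02 10.1.2.10 10.1.1.5 1027 Unidentified Deny
2006-08-12T14:10:05 10.1.2.10 10.1.1.5 389 LDAP Allow
2006-08-12T14:11:40 10.1.2.10 10.1.1.5 1030 Unidentified Deny
2006-08-12T14:11:41 10.1.2.11 10.1.1.5 1029 Unidentified Deny
"""


def parse_log(text):
    """Yield (time, client, server, port, action) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, port, _proto, action = line.split()
        yield datetime.fromisoformat(ts), client, server, int(port), action


def find_missed_rpc_negotiations(text, window_seconds=30, ephemeral_min=1024):
    """Return denied (client, server, port) ephemeral-port connections that
    follow an allowed endpoint-mapper (TCP 135) call from the same client to
    the same server within window_seconds. A deny in that position is the
    signature of the RPC filter not tracking a dynamic port it should have
    learned from the port-135 negotiation; a deny with no preceding 135 call
    is just unrelated traffic that the rule set does not cover."""
    last_epm = {}  # (client, server) -> time of the last allowed port-135 call
    flagged = []
    for when, client, server, port, action in parse_log(text):
        key = (client, server)
        if port == 135 and action == "Allow":
            last_epm[key] = when
            continue
        if action != "Deny" or port < ephemeral_min:
            continue
        epm_time = last_epm.get(key)
        if epm_time is not None and (when - epm_time).total_seconds() <= window_seconds:
            flagged.append((client, server, port))
    return flagged


if __name__ == "__main__":
    for client, server, port in find_missed_rpc_negotiations(SAMPLE_LOG):
        print(f"{client} -> {server}:{port} denied right after endpoint-mapper call")
```

On the constructed sample only the 1025 and 1027 denies are flagged; the 1030 deny falls outside the window and the second host never contacted port 135, so neither is attributed to a missed negotiation.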